websecurity@lists.webappsec.org

The Web Security Mailing List


Bypassing WAF via HTTP Pollution

Danux
Wed, Oct 3, 2012 9:55 AM

By playing CSAW CTF you always learn something new (at least myself).

Hope you enjoy it:

http://danuxx.blogspot.com/2012/10/bypassing-waf-via-http-parameter.html

--
DanUx

Ivan Ristic
Thu, Oct 4, 2012 9:40 AM

I guess this would be a good opportunity for me to mention my research
on the topic:

Protocol-level evasion of web application firewalls
http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-application-firewalls.html

On Wed, Oct 3, 2012 at 10:55 AM, Danux danuxx@gmail.com wrote:

--
Ivan Ristić

Robin Wood
Mon, Oct 8, 2012 9:51 AM

On 4 October 2012 10:40, Ivan Ristic ivan.ristic@gmail.com wrote:

> I guess this would be a good opportunity for me to mention my research
> on the topic:
>
> Protocol-level evasion of web application firewalls
> http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-application-firewalls.html

I like the table Danux has showing what order the various
languages/technologies parse the parameters and was wondering if
anyone had a table like this for WAFs, that way it would be a lot
easier to match the language and the WAF and know what ordering to use
to bypass it.

Robin

> On Wed, Oct 3, 2012 at 10:55 AM, Danux danuxx@gmail.com wrote:
>
> --
> Ivan Ristić
>
> This list is sponsored by Cenzic
>
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus

Ivan Ristic
Mon, Oct 8, 2012 7:55 PM

On Mon, Oct 8, 2012 at 10:51 AM, Robin Wood robin@digininja.org wrote:

> On 4 October 2012 10:40, Ivan Ristic ivan.ristic@gmail.com wrote:
>
>> I guess this would be a good opportunity for me to mention my research
>> on the topic:
>>
>> Protocol-level evasion of web application firewalls
>> http://blog.ivanristic.com/2012/07/protocol-level-evasion-of-web-application-firewalls.html
>
> I like the table Danux has showing what order the various
> languages/technologies parse the parameters and was wondering if
> anyone had a table like this for WAFs, that way it would be a lot
> easier to match the language and the WAF and know what ordering to use
> to bypass it.

According to my reading of the blog post, the "WAF" in question was a
simulation. In reality, I wouldn't expect that you'd be able to bypass
a WAF by providing multiple instances of the same parameter. The
expected behaviour is that all such values are inspected.

Where it gets tricky is when you are able to split the payload across
two or more parameter instances, and you're attacking an application
that will combine the values into a single string. That could be handy
for bypassing WAFs, but it depends entirely on being able to craft a
payload that will not be detected in "pieces".

> Robin
>
>> On Wed, Oct 3, 2012 at 10:55 AM, Danux danuxx@gmail.com wrote:
>>
>> --
>> Ivan Ristić


--
Ivan Ristić
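The distinction Ivan draws above, between inspecting each parameter instance on its own and inspecting the single string an application will build from all of them, can be made concrete with a small model. The following is an added example and is not code from the thread, from ModSecurity, or from any of the blog posts linked here. It assumes three simplified backend behaviours for a repeated parameter: keep the first instance, keep the last, or join every instance with a comma (one of the real-world behaviours, modelled here as an assumption); the detection rule is a constructed placeholder, and the query strings are constructed test input.

```python
"""Model how duplicate query parameters reach a backend, and inspect the value
the backend will actually see rather than each instance in isolation.

Added example for the thread above; the three strategies are a deliberate
simplification of per-platform behaviour, not a complete table.
"""
import re
from urllib.parse import parse_qsl

# Assumed backend behaviours for a repeated parameter name. "join" models a
# platform that builds a comma-separated list from every instance.
STRATEGIES = {
    "first": lambda values: values[0],
    "last": lambda values: values[-1],
    "join": lambda values: ",".join(values),
}

# Constructed placeholder rule: two keywords in order, any separator between.
RULE = re.compile(r"(?i)\bunion\b.*\bselect\b")


def parse_query(query: str) -> dict[str, list[str]]:
    """Return every instance of every parameter, in request order."""
    params: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def effective_values(query: str, strategy: str) -> dict[str, str]:
    """The one value per name that a backend using `strategy` would see."""
    select = STRATEGIES[strategy]
    return {name: select(values) for name, values in parse_query(query).items()}


def inspect_per_instance(query: str) -> list[str]:
    """Naive inspection: run the rule over each instance separately.

    Returns the parameter names that matched. A payload spread over several
    instances never matches here, because no single piece contains it.
    """
    return [
        name
        for name, values in parse_query(query).items()
        if any(RULE.search(v) for v in values)
    ]


def inspect_as_backend(query: str, strategy: str) -> list[tuple[str, str]]:
    """Inspect the value the backend will see, and report duplicated names.

    Reporting the duplication itself is the cheap, platform-independent check:
    a legitimate client rarely repeats a scalar parameter, so a repeated name
    is worth a finding even before the rule is evaluated.
    """
    findings: list[tuple[str, str]] = []
    for name, values in parse_query(query).items():
        if len(values) > 1:
            findings.append((name, "duplicate-parameter"))
        if RULE.search(STRATEGIES[strategy](values)):
            findings.append((name, "rule-match"))
    return findings


if __name__ == "__main__":
    # Constructed input: the rule's two keywords arrive in separate instances.
    q = "id=1&id=UNION&id=SELECT"
    print("per-instance :", inspect_per_instance(q))          # []
    for s in STRATEGIES:
        print(f"backend={s:5}:", effective_values(q, s), inspect_as_backend(q, s))
```

Run it and compare the three backend rows: only the joining backend produces a rule match, which is Ivan's point that the bypass depends entirely on the application combining the pieces; the "duplicate-parameter" finding appears for every strategy, which is the check a WAF can apply without knowing the backend's table at all.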

Dave Wichers
Mon, Oct 8, 2012 9:09 PM

Regarding combining parameters, ASP and ASP.NET and a couple of others do this by default by creating a comma separated list. This behavior of combining parameters was mentioned in Stefano di Paola and Luca Carettoni's original talk on this topic at OWASP AppSec Poland in 2009. They list which specific platforms do/do not do this on slide 9 of their talk.  If people are aware of others, I'd love to know about them.

Their presentation is here: https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

I don't know if this slide is also published somewhere on the web, but if it isn't, it should be. It’s a very useful reference for this kind of research.

Since it’s a PDF, I can't simply cut / paste the text and include it here. If someone wants to get this info on to a public page so it's easier to find/use, I'm sure we can get the original presentation from Stefano.

-Dave

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Ivan Ristic
Sent: Monday, October 08, 2012 3:55 PM
To: Robin Wood
Cc: Danux; web security; pen-test@securityfocus.com; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] Bypassing WAF via HTTP Pollution


Rcbarnett
Mon, Oct 8, 2012 10:40 PM

I have an image graphic of that slide here -
http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Oct 8, 2012, at 5:09 PM, "Dave Wichers" dave.wichers@aspectsecurity.com wrote:

